Skip to content

Misc CVE fixes #4091

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jan 6, 2020
Merged

Misc CVE fixes #4091

merged 1 commit into from
Jan 6, 2020

Conversation

skef
Copy link
Contributor

@skef skef commented Jan 6, 2020

Fix for #4084 Use-after-free (heap) in the SFD_GetFontMetaData() function
Fix for #4086 NULL pointer dereference in the SFDGetSpiros() function
Fix for #4088 NULL pointer dereference in the SFD_AssignLookups() function
Add empty sf->fontname string if it isn't set, fixing #4089 #4090 and many
other potential issues (many downstream calls to strlen() on the value).

Closes #4084
Closes #4086
Closes #4088
Closes #4089
Closes #4090

Meta-note: That I am continually annoyed at the number of open FontForge issues does not imply this is not a waste of time.

Fix for fontforge#4084 Use-after-free (heap) in the SFD_GetFontMetaDa…
8da6d56 
…ta() function

Fix for fontforge#4086 NULL pointer dereference in the SFDGetSpiros() function
Fix for fontforge#4088 NULL pointer dereference in the SFD_AssignLookups() function
Add empty sf->fontname string if it isn't set, fixing fontforge#4089 fontforge#4090 and many
  other potential issues (many downstream calls to strlen() on the value).
ctrlcctrlv
ctrlcctrlv reviewed Jan 6, 2020
View reviewed changes
fontforge/sfd.c
Comment on lines -4035 to +4036
cur->spiros = realloc(cur->spiros,(cur->spiro_max+=10)*sizeof(spiro_cp));
cur->spiros = realloc(cur->spiros,
(cur->spiro_max+=10)*sizeof(spiro_cp));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

>>> L1="                cur->spiros = realloc(cur->spiros,(cur->spiro_max+=10)*sizeof(spiro_cp));"
>>> L2="""
		cur->spiros = realloc(cur->spiros,
		                      (cur->spiro_max+=10)*sizeof(spiro_cp));"""
>>> import re
>>> re.sub(r'\s+', '', L2) == re.sub(r'\s+', '', L1)
True

What is the purpose of the added line break?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just increasing conformance with the mostly-followed 80 char/line rule while I was in the neighborhood.

ctrlcctrlv
ctrlcctrlv approved these changes Jan 6, 2020
View reviewed changes
Copy link
Member

@ctrlcctrlv ctrlcctrlv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@ctrlcctrlv ctrlcctrlv merged commit 048a91e into fontforge:master Jan 6, 2020
@frank-trampe
Copy link
Contributor

You guys played really hard-to-get on this one!

@skef
Copy link
Contributor Author

skef commented Jan 6, 2020

@frank-trampe These sorta feel less like maintenance than gamification.

@frank-trampe
Copy link
Contributor

It's all the rage these days.

@skef skef mentioned this pull request Jan 21, 2020
Merged
@ctrlcctrlv ctrlcctrlv mentioned this pull request Feb 15, 2020
Closed
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ctrlcctrlv ctrlcctrlv ctrlcctrlv approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@skef @frank-trampe @ctrlcctrlv